April 30, 2011

Executive Summary: Contrary to arguments made by many proponents of Internet “Do-Not-Track” concepts, there are vast complexities involved in any rational approach to this area. Can Doctor Who help us understand?

April 29, 2011

Earlier today I noted the sudden disappearance of (and associated back-end server error pages relating to) archival material on Senator Orrin Hatch's site, the day after a Salon author called attention to the Senator's past support for allowing persons not born in the U.S. (such as Arnold Schwarzenegger) to become U.S. president.

The Salon article noted the conflict of this position, supported by many in the GOP at the time, vs. the currently still very much alive "birther" movement and other efforts to even more tightly restrict presidential candidacies. A Salon follow-up article today also mentioned that Hatch's office didn't respond to their original query yesterday on this topic, but added that the Senator's office since then has now claimed that the missing material is simply a coincidence, resulting from a site redesign issue that just happened to take place between Salon's queries about the amendment yesterday, and my noticing the missing pages and visible database errors this morning.

Hey, coincidences can happen, right? Just really bad timing. Or good timing, depending upon your point of view. I'm not a gambling man, and am only an armchair statistician, so I'll let the ersatz-Spocks in the readership calculate the odds.

In any case, here's a little free SEO (Search Engine Optimization) advice for Hatch's Web site designers. Standard good practice when cutting over a new Web site isn't to use the equivalent of a fire axe, that leaves important links not only failing to reach appropriate pages or redirects, but instead lead to pages of back-end database errors that would seem as cryptic as hieroglyphics to most viewers.

Accurately or not, such techniques give the impression of what we might call "Web site 'get the stuff offline fast!' panic redesign" -- or in the UNIX/Linux world the

rm -rf *

school of damage control (don't try that one at home, kids).

Just a remarkable coincidence. OK, let's take them at their word. And if the good Senator is still willing to publicly stand behind his earlier words that so directly conflict with birther sentiments, more power to him, and then of course my apologies for casting any aspersions on his character or motivations, irrespective of the impression given by his site's sudden, coincidental, and quite dramatic perturbations.

Perhaps the Senator will now be one of President Obama's staunchest and most vocal defenders against birther nuttiness, and the Orrin Hatch Web site (new and improved, with suspicious broken links all eventually neatly repaired) will trumpet Hatch's support in this regard for all the world to see!

Just when you think you've seen the ultimate in hypocrisy, that perhaps it's impossible to become further depressed by politicians and their duplicitous antics, out pops another example that digs the pit ever deeper into the muck.

Utah Senator Orrin Hatch provides today's painful example. A GOP Senate member since 1976, Hatch at one time seemed extremely conservative. With some in the Republican party now rushing so far to the right that they're leaving gamma rays in their wake, Hatch seems considerably more moderate now by comparison.

This is a dilemma for Hatch, especially with Tea Party and other assorted right-wing wackos out for his political blood.

Now it appears that Hatch has tried to delete a significant piece of his own history in a calculated (but incredibly inept) attempt to mollify the "birther" constituency -- and Google has helped to provide the evidence.

By now you know all about the birthers and their nutty claims about President Obama. As I long predicted, even the presentation of Obama's long-form birth certificate has not quieted these fanatics. Like the folks who insist the U.S. dynamited the World Trade Center, or that computers can predict the future by playing "bible code" crossword puzzle games with Old Testament texts, the birthers live in their own special world of dreams, immune to logic or reality.

Hatch wants to keep his job -- and the birthers present a serious problem for him. You see, back only eight years ago, when Austrian-born Arnold Schwarzenegger (for all his faults, still a quite moderate, non-wacko guy) was in his ascendancy with the GOP, Hatch proposed a constitutional amendment -- the "Equal Opportunity to Govern Amendment" ["Presidential Eligibility Amendment"] -- to allow persons born abroad (like Schwarzenegger) to become president!

This bit of history has become rather inconvenient for Hatch, when he needs to appeal to Tea Party and birther zealots.

Hatch hasn't talked about his proposed amendment much recently, and he appears to be in the process of trying to perform a 1984 "Ministry of Truth" expunging of this particular aspect in his career.

Apparently until a couple of days ago, the details of Hatch's proposed amendment were still available in the direct archives of his Web site, listed along with his other legislative efforts over the years. But there's a gap in that list of pages now, seemingly where mention of the amendment used to be present.

But what happens today when you follow the associated link back to the Hatch site itself?

Wham! Bam! The link's flushed down the Can!

Hmm. Rather than being shown a proud presentation of Hatch's legislative efforts on this subject, we're unceremoniously dumped onto a back-end ColdFusion error page triggered by a mysteriously missing file.

Not very classy. Seriously sloppy in fact. And to what end?

As I've said so many times before -- the Web has a very, very long memory. Trying to delete or block material from the Internet after it has already been made public is a "double whammy" losing proposition.

You lose because copies of the information are almost certainly going to still be out there. And you lose again -- big time -- because the act of trying to delete or otherwise cover-up the embarrassing or otherwise unwanted data can so easily draw much more attention and scrutiny to the very topic that you wanted to bury -- as in this case.

I've always felt that Orrin Hatch was a decent enough person, even though I've disagreed strongly with many of his political positions. It's disappointing in the extreme to see him trying -- unsuccessfully of course -- to run away from his own work in this manner.

If you've changed your positions on a topic, that's fine -- honest evolution in thinking is nothing to be ashamed of -- quite the opposite in fact. It's stagnation that we really have to fear in so many cases.

But trying to manipulate history in the Internet age is a fool's game.

April 27, 2011

With the continuing escalation of the Sony PlayStation network breach, now involving the potential release of personal information including security questions, passwords, perhaps some user credit card data, and other goodies, Coast to Coast AM radio invited me back on yesterday to discuss this and other Internet-related topics.

It seems clear that Sony can be faulted not only for failed security on their network, and for storing personal data (including reportedly plaintext passwords) in a manner that was accessible to such a breach, but also for utterly abysmal handling of the public information and public relations outreach relating to this entire incident.

There are a couple of loose ends I'd like to deal with now. The first associated with location tracking issues, the second with some software I have available for the Google Cr-48 Chrome notebook.

The new controversies regarding smartphone location tracking data continue, and apparently there will be a Congressional hearing on the topic early next month.

My current understanding is that iOS (iPhone, iPad, etc.) is keeping a comprehensive unencrypted log of location data on the user devices, perhaps at cell tower/site/sector granularity, and (according to some reports at least) sending the data back to Apple at intervals (twice a day?)

Android is reportedly (I have not dug into my own rooted device yet to check this first hand) maintaining an overwriting cache (256 entries?) of similar granularity location data, which is routinely sent up to Google. In general, this represents a much less comprehensive source of location data at the device itself (vs. iOS), since the cache is constantly overwritten by new data. Also, the cache is only accessible directly to users with rooted devices (or via various forensic data extraction equipment). It is not clear to me at this time if this Android location data collection is or is not controllable by the user via the menu-based location options (and the query about location data collection that users receive when they initialize a new Android device).

My overall view on this all is that while I would prefer that users have complete control over location data tracking on any devices and regarding where that data is collected in the cloud, I think many critics of this situation are missing some key points.

I believe that overall the iOS log on the devices is much more dangerous than the Android cache, since the former is so comprehensive. And in California and apparently some other states at least, on-device data is subject to ad hoc extraction by authorities and others without a warrant even being needed.

On the other hand, location data stored at central servers is at least protected by the associated firms' privacy policies -- I assume for example that Google would not release that data without a warrant or other appropriate court order in most or all cases, which would be a much higher standard than the very similar location data collected by the cellular carriers themselves, and apparently frequently released by those carriers with a nod and wink to authorities -- without a warrant in many situations.

This all suggests that viewing this issue in isolation in terms of iOS or Android is a mistake -- that it is necessary to look more broadly not only at carrier privacy policies but also the varying and conflicting standards for protection of user data in different contexts (local devices, "transient" storage at ISPs and other services, "permanent" storage at those entities, and so on).

Ironically, this seems to be a situation where the "traditional" stronger protections from government access to data on a local PC (vs. the cloud) are reversed -- in this kind of tracking case the local device can end up more vulnerable to such data extraction than the cloud services.

Much of this points at the continuing urgent need for strengthening and harmonization of laws regarding data protection in these areas, which I know Google strongly supports. Unfortunately, it appears that the Obama administration, like administrations before it, is resisting key aspects of such efforts (for example, the Obama admin is now actively fighting attempts to give all cloud-based email appropriate protection from perusal by law enforcement with warrants), and results from similar efforts to improve data protection in the EU appear mixed and sometimes contradictory at best right now.

- - -

If you have a Google Cr-48 Chrome notebook and would like a full-featured, browser-based (Java applet) SSH, please let me know. Making this work on the Cr-48 turns out to be nontrivial since the platform doesn't currently have integral support for Java applets. However, this can be dealt with if your notebook is in "developer" mode. Having a full-blown SSH with a variety of terminal emulation modes, etc. in a browser tab (rather than having to use a text-based virtual terminal) can be very useful. I don't have detailed step-by-step install instructions written up yet, but I have it all working. If anyone has interest I have the necessary resources available for download and would of course pass along install notes.

April 21, 2011

Before I proceed to the main topic of this posting, I'd like to apologize to everyone who has sent me email over the last several days that has been unacknowledged and unanswered, and for the sudden cessation of all activity on my main mailing lists -- PRIVACY Forum - People For Internet Responsibility - Network Neutrality Squad -- the IDONS Forums, as well as on my blog, Twitter, and Google Buzz. I am not purposely ignoring you, and I'll try to explain a bit more after the iPhone tracking discussion that begins ... now.

I've probably received more email on the recent "revelations" concerning location "tracking" data being stored on various iOS (iPhone, iPad) devices (and thence apparently backed up routinely to connected computers) than for nearly any other topic in recent memory. Some articles that provide background on this are here and here.

I will not now delve into the question of "who discovered what when" or the specific precision and granularity of the data collected (e.g. cell site triangulation/location vs. GPS) -- except to note that especially in urban regions, the area covered by a single cell sector or microcell can be very small and yield quite precise location information even without user GPS data. The applicability of the Apple/iOS Terms of Service (ToS) to the collection of the location data in question I'll let the lawyers tangle over.

Some observers (many of whom seem to be rather hardcore Apple "fanboys"), appear to be attempting to minimize the seriousness of this situation, suggesting that it really isn't a big deal since Apple reportedly isn't routinely sending the collected location data to their own servers -- some apologists even parroting the tired and dangerous meme that "if you aren't doing anything wrong you have nothing to fear from such data being gathered."

There's just no way to justify what Apple is doing with iOS in this regard. It's impossible to imagine legitimate mitigating excuses.

That something like this could slip through Apple's "privacy standards" process is mysterious and extremely troubling.

Overall, this one isn't even a close call. Apple is dead wrong.

- - -

As I noted above, normal activity on my various venues has been disrupted, including my ability to respond to emails in a predictably timely fashion. This may continue indefinitely or even worsen, and while I will try to keep the associated servers running, I cannot guarantee that this will be possible unless current circumstances change for the better. I have never felt it appropriate to "monetize" any of these efforts, and though I've always operated on extremely limited resources, I've done my best to keep things going in the hope that some good was ultimately being accomplished.

Unfortunately, a series of recent unexpected events has made it impossible for me to maintain the status quo under these conditions. Hope springs eternal for improvements in the situation, but as of now nothing is on the horizon.

So I'd like to use this opportunity to thank everyone who has taken the time to read my sometimes eclectic missives over the many years (whether you've agreed with my various points of view or not!) and a special thank you to those who have actively participated by sending me emails, messages, postings, and various fodder for my analytical and other musings, lists, and forums.

Also, some of you know about a pair of white papers that I've been preparing, one regarding government and private micromanagement and censorship of Google and other search engines, the other discussing N-dimensional "constellation" analysis of user tracking preferences vs. "do-not-track" risks (can this stuff get any geekier?). While I hope to complete these for distribution, like everything else right now they will have to wait until and unless the overall situation takes a turn for the better.

That's really all I want to say publicly about this. Mail to lauren@vortex.com should continue working for the time being at least, though responses may be significantly delayed. My regular contact phone number of (818) 225-2800 continues to be valid for now.

I just don't know how often I'll be posting going forward. I'll do what I can. But again, my thanks to you all, my apologies for the inconvenience, and my best wishes to you and yours. Take care.

April 15, 2011

Greetings. I've written a number of times before about the Obama Administration's NSTIC (National Strategy for Trusted Identities in Cyberspace) initiative (please see below for links to some relevant postings and papers).

This program, which visualizes a vast new "identity ecosystem" for Internet access and usage, linked to government-issued IDs, has been gestating for some time.

Today the program has been formally launched, with the Department of Commerce acting as the public-facing "front man" for the project, but with the deep involvement of the Department of Homeland Security (DHS).

Because I have already said much about NSTIC previously, and since there appear to be few (if any) substantive changes between the preliminary materials (on which I based my earlier analysis) and today's formal version, I will not here repeat all of my detailed concerns, and would urge you to follow the links below for additional, more in-depth information if you are interested -- and you should be interested. You should be interested even if you're not in the U.S., since the impact of the NSTIC scheme will have global implications on the international Internet.

Nobody would reasonably assert that the Internet does not have security and identity issues that create a variety of less than optimal situations.

However, in a free society, we must always be diligent to avoid creating even commendably appearing "solutions" that can create far worse diseases than they were supposedly designed to cure. When you drink the Kool-Aid, you don't want to discover afterwards that it was even inadvertently laced with cyanide.

The biggest lie of NSTIC is that it would actually be "voluntary" -- a term that its proponents use ad nauseam.

The sort of identity ecosystem envisioned by NSTIC would quickly and inevitably become mandatory for a vast range of Web sites and services, and when the system is hacked or otherwise subverted, the results may well be catastrophic for the individuals or organizations involved.

So NSTIC's version of "voluntary" would -- I believe over a relatively brief period of time -- be only as voluntary as having a driver's license if you want to drive, or subjecting yourself to TSA body x-ray scans and invasive pat-downs if you want to fly.

In fact, the situation with NSTIC is actually worse than those examples. It is possible (however inconvenient) to get through life without driving or flying in most situations. But access to services at Web sites is rapidly becoming a necessary component of everyday life.

Concerns over liability, age appropriateness, and other factors will drive Web sites toward requiring the use of NSTIC for access, without any formal government mandates to do so even being necessary in most cases.

NSTIC will be an incredibly powerful enabler of censorship and government tracking. Sites will be under enormous pressure to "wall off" materials considered "inappropriate for children" behind NSTIC-based credential barriers. And using those credentials to access sites will by definition create an almost impossible to refute association to your actual accessing of that data.

No more creating a "throw-away" account if you wish to view something controversial in any of many respects. Age verification via such systems inevitably implies identity verification at one level or another.

NSTIC proponents tout the distributed nature of NSTIC credentials, and the ability of consumers to choose among various NSTIC issuing entities -- there's no central government ID database, they proclaim.

In reality of course, most persons will probably tend to bundle their NSTIC credentials in some manner, for convenience if nothing else -- who wants to have a wallet full of "smart cards" that have to be individually used for each different site that you wish to access. if one SuperSmartCard can rule them all, so to speak?

But even if one chose to keep all services and all NSTIC credentials completely separate from the user standpoint, it wouldn't make much difference. The technologies of data analysis and data re-association are now so advanced that building a detailed dossier of a user's Internet activities even from distributed credentialed sources will likely be straightforward. The deep involvement of DHS within the NSTIC ecosystem virtually guarantees that this will be possible and can be swiftly accomplished, since despite the e-commerce trappings, it's clear that a key element of the DHS security agenda -- being able to track what people do on the Internet -- is ultimately a driving force behind NSTIC.

There's so much more to say, but for now I'll just leave you with two additional thoughts.

The first is technical. We know that PCs of all sorts are fundamentally insecure. Viruses or other malware that often infect these systems have essentially total control over all aspects of the systems' functioning. They can capture keystrokes and other data, they can read your screen, they can make it appear that you're voluntarily accessing particular Web sites -- all without your knowledge, even while you're sitting there at the machine.

Imagine if you will the ramifications of such malevolent technology having access to your NSTIC credentials -- perhaps via a currently inserted smart card linked to your government ID -- and considered by law to be equivalent to your personal signature, even on extremely high-value financial transactions. Just try to refute those transactions, or the record that claims you must have visited that nasty site and downloaded those forbidden files -- despite your protests that you knew nothing about them. Good luck.

Finally, acceptance of NSTIC requires complete faith not only in the veracity of the current government, but of all future governments that could subvert and abuse a widely deployed Internet identity ecosystem. The structures that we build into the Internet now are likely to be essentially permanent fixtures for a very long time -- so even if you have utter trust in the current government at all levels, one must consider what these powerful tools could do in less trustworthy hands in the future.

And even the relatively recent history of our government -- both of Obama, and Bush before him, not to mention Congress -- are hardly reassuring in these regards.

Users' Internet records have been collected by the government on the thinnest of pretenses based on "rubber-stamped" court orders or secret National Security Letters. The Obama administration (like administrations before it) is resisting efforts to protect users' email on remote servers from government snooping without a warrant.

At the same time that ill-advised commercial Internet "do-not-track" concepts are being promoted by some facets of the government, other government players are pushing for massive user data retention regimes, to allow retrospective analysis of your phone calls, email, and virtually every other aspect of your electronic communications.

Meanwhile, U.S. Immigration and Customs Enforcement (ICE) has shut down vast numbers of innocent Web sites with banners suggesting that they were involved in child-abusive pornography, the U.S. government is attempting to leverage control over the Domain Name System to dictate the operations of both U.S. and non-U.S. sites, and Congress is hellbent on the creation a vast censorship regime that would micromanage and dictate what links were legal for Google and other search engines to display (COICA).

NSTIC supporters suggest that it's primarily a private enterprise initiative. Don't you believe it. The federal government is in this up to their (and our) eyeballs. NSTIC represents politicians' and their minions' best hope of "getting effective control" over how everyone uses the Internet. It is the means to the end of destroying the concept of anonymity in general and the ability to criticize and "whistle-blow" in a truly anonymous nature in particular. It is a wish come true for intelligence agencies and government data miners, for "irrefutable" identity is key to so many of their efforts.

The saddest part is that there are supporters of NSTIC who are convinced that the problems it solves are more important than the horrendous risks it brings. To this extent, their motives may well be laudable, but I would assert that they have still been seduced by a technological chimera.

Wrapped in the sheep's clothing of "easier e-commerce" and adorned with an array of other seemingly shiny baubles, NSTIC is the wolf that could mutate the Internet from the greatest free speech tool in human history, into a tyrant's wet dream -- perhaps not immediately, but ultimately nonetheless.

April 07, 2011

Greetings. Congress is hellbent on imposing Internet censorship, using exaggerated claims of piracy as the excuse for draconian COICA and other legislation that would give the U.S. government unparalleled control over the operations and content not only of U.S. based Internet sites, but (via the DNS - Domain Name System) sites around the world in other countries as well.

And with a major target of Congress now appearing to be search engines such as Google, Congressional efforts seem aimed at declaring that even providing a link or other information about an "offending" site should be prohibited.

Attempts to censor and otherwise micromanage the search results of Google and other search engines are an additional enormous threat to free speech and civil liberties globally.

Can these enormously important issues be boiled down to a very short, very quickly produced "Search Story" video?

April 02, 2011

Greetings. A bunch of people have been sending me the same story excerpt details from Steven Levy's new book on Google, In the Plex, and asking for my comments.

The incident in question, as recounted by the book, relates to Eric Schmidt, Google CEO (until this Monday, when Larry Page assumes that role). In brief, the claim is made that Schmidt once requested that certain Google search results regarding his political contributions be removed from the Google Search index.

Obviously, I don't independently know the facts. If the circumstances described never happened at all, then any related discussion is essentially meaningless fantasy.

But Google critics are assuming the story is true, and seem to be conveniently
(and perhaps purposely to provide fodder for their anti-Google campaigns) missing the most important aspect as reported.

For the really noteworthy part of the story isn't a request to remove search results per se. I get emails almost every single day from people asking me how to remove search results from Google for all manner of reasons. My answer is always the same. You can't remove Google search results on demand -- and that's a damned good thing.

In fact, by far the key point of the story about the claimed removal request is that it was not accepted, was not approved, and the supposed results in question remained in the Google Search index.

There are firms where such a request from the CEO would be viewed by underlings as an order from God, to be obeyed immediately and without question.

Not so with Google, according to this Levy story. Google comes out smelling like a rose, its search integrity intact and solid.

Of course, such a point of view is inconvenient for those Google competitors and others who are desperately attempting to prove that Google's search algorithms are somehow unfairly rigged. But this saga says that even Google's CEO couldn't bias the results -- the algorithms' ethical guardians firmly saying no.

This speaks volumes in favor of Google's institutional integrity and ethics -- positive attributes that have become all too rare among large companies of late -- as demonstrated by the near depression triggered in part by Wall Street greed, for example.

Google isn't perfect. No firm is. But for those critics who insist that no powerful company is really ever concerned about ethics, or right and wrong, Levy's tale -- whether true or merely apocryphal -- should be serious food for thought.

April 01, 2011

Greetings. I've spent several hours today working to verify that the story I'm about to relate isn't a bad April Fools' Day joke. As far as I can tell, based on various sources (at least one of which dates back to last night), it appears to be legit -- and totally nuts.

Much as I'm not a fan of Facebook nor Mark Zuckerberg, I'm even less accepting of wacko lawsuits. This one takes the cake.

Apparently "political activist" Larry Klayman of "Freedom Watch" feels that his life has been threatened by Facebook's not rapidly enough taking down a "Third Intifada" page supposedly posted by a radical Palestinian group. So Klayman is suing Facebook and Marc Zuckerberg for in excess of (cue Dr. Evil ...) One Billion Dollars!

Keep in mind that Facebook did take the page down (of course, it is now widely mirrored elsewhere), but not fast enough for Mr. Klayman. Bizarrely, Klayman is accusing Zuckerberg of personally profiting from turmoil in the Middle East and -- at least by inference -- from threats against Jews (no matter that Zuckerberg himself was raised Jewish).

Verifying that the entire nonsense of this lawsuit is actually serious (it even invokes The Social Network as "evidence") was complicated by Klayman's March 31 press release, which (as you can see I've indicated) misspelled the word "Intifada" both times it was used -- as "Infitada" -- just the sort of thing I'd expect in a satirical piece.

But it looks like this is a real lawsuit, not a poor attempt at humor.

I'm pretty disgusted. I'm also very unhappy with the Anti-Defamation League -- lately a seeming champion of censorship in various guises -- who had also been putting pressure on Facebook to pull that page.

As usual, all these attempts to censor information on the Net have mainly resulted in far more attention being drawn to those pages and their various continuing copies than would ever otherwise have been the case.

The cure for information that you don't like is more information, not less. Fight ideas that you disagree with using other ideas, not by trying to suppress the availability of other persons' opinions, however abhorrent you may consider them to be.

Efforts to control information through censorship on the Internet not only dangerously raise false expectations since they will almost inevitably fail in major ways, but they also make everyone involved in pushing such intolerant agendas look like -- you guessed it -- utter fools. And Klayman's lawsuit? "Obscene" is the most polite word I can honestly use here.